[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IV sizes for AES candidates
>For one, it asks about different modes of operation instead of DES. I
>suspect that the same pressures that are pushing NIST to hold a modes
>of operation workshop in October
>but I think that that question is (almost) orthogonal to the choice of
>underlying block cipher. There are a fair number of subtle issues in
>mode of operation design, and I don't think that the IETF is the right
>issue to explore ost of them. (Practical or implementation aspects
>are, of course, something we're good at.)
If the consensus of the group is that we should stick with the
tried-and-true CBC mode, that's fine with us, and the next version of the
draft will reflect that.
>The modulus sizes suggested for different key lengths are quite high,
>and I wonder if they're realistic. I mean, a 15430 bit modulus for
>Diffie-Hellman is just not going to happen. I'm particularly concerned
>by this sentence:
> Implementations are encouraged to use the largest key sizes they can
> when taking into account performance considerations for their partic-
> ular hardware and software configuration.
>It isn't clear to me that there is any real security gain from using a
>256-bit symmetric key instead of a 128-bit key, and I don't know that
>we should be encouraging it. After all, the expense is borne by two
>systems, not just one.
> --Steve Bellovin
I guess that statement should be toned down - out of context it does sound
The only keysize required by the draft is 128 bits; the others are
optional. We are interested in comments from the list - should the other
key sizes be mentioned at all? any other comments on the "IKE Interactions"
By the way, has anyone else implemented any of the AES candidates in IPsec